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Abstract. We present seven theorems on the structure of prime order torsion 
points on CM eUiptic curves defined over number fields. The first three results 
refine bounds of Silverberg and Prasad- Yogananda by taking into account the 
class number of the CM order and the splitting of the prime in the CM field. In 
many cases we can show that our refined bounds are optimal or asymptotically 
optimal. We also derive asymptotic upper and lower bounds on the least degree 
of a CM-point on Xi{N). Upon comparison to bounds for the least degree for 
which there exist infinitely many rational points on Xi(N), we deduce that, 
for sufficiently large N, Xi(N) will have a rational CM point of degree smaller 
than the degrees of at least all but finitely many non-CM points. 

1. Introduction 

1.1. Notation. 

For d G Z+, we define the following quantities: 

T{d): the supremum of the orders of the groups E{K)[tors\ as K ranges over 
all number fields of degree d and E ranges over all elliptic curves defined over K. 

N{d): the supremum of all orders of iiT-rational torsion points P G E{K), with 
K and E varying as above. 

P{d): the supremum of all prime orders of iC-rational torsion points P G E{K), 
with K and E varying as above. 

We shall have occasion to consider analogues T^,{d), N^{d), (d) of the above 
quantities, which are defined by restricting to some subset of elliptic curves E/^- 
Specifically we will be interested in the set of all elliptic curves with integral mod- 
ulus j{E) and also the set of all elliptic curves with complex multiplication. 

1.2. Background on torsion. 

Since the torsion subgroup of an elliptic curve over a number field is a finite abelian 
group with at most two generators, we have 

(1) P{d) < N{d) < T{d) < N{df. 

The uniform boundedness theorem of L. Merel |Mer96| asserts T{d) < oo for 
all d e Z+. Using ([T]), the finiteness of P{d) and N{d) follows immediately. 



Merel's proof gives an explicit upper bound on T{d), which was then improved 
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by work of Merel, Oesterle and Parent. For instance, Parent showed }Par99j that if 
a power p° of a prime p > S divides the order of the torsion subgroup of an eUiptic 
curve over a degree d number field, then 

p" < 65(3'' -l){2df. 

However, it is a "folk conjecture" that there exists a constant a such that T{d) — 
0{d'^): thus it seems that Merel's bounds are a full exponential away from the 
truth. In fact, we record here a more precise conjecture: 

Conjecture 1. 

There is a C2 > such that T{d) < (^2^ log log d for all d e Z+ . 

Conjecture [1] is very close to being the most ambitious conceivable one: we shall 
show (Theorem 6) that there is a positive constant Ci and a strictly increasing 
sequence {c?n}^i of positive integers such that T(c?„) > Ci c?„^/log log dn for all n. 

Unfortunately it is not currently tenable to seek numerical confirmation for Con- 
jecture [T^). The only values of d for which any of T[d), N[d), P{d) are known are: 

r(l) = 16, iV(l) = 12, P{1) = 7 ( |Maz770 . 

r(2) = 24, iV(2) = 18, P(2) = 13 ( |Kam86| . |Kam92| . [KMHSQ . 

P(3) = 13 r |Par03j l. 

Since further direct computation of these quantities is out of current reach, it seems 
that one must find some more tractable sub-problem and examine the extent to 
which it is representative of the general case. 

One approach is to concentrate on the case of elliptic curves with algebraic inte- 
gral j-invariant (henceforth integral modulus) . In this case we write Tim (c?) , Niuid), 
Piuid) for the order, exponent and largest prime dividing the order of an elliptic 
curve E with integral modulus defined over any number field of degree d. For such 
curves the uniform boundedness is much easier to prove. Moreover, in the integral 
modulus case the computation of all possible torsion subgroups over Q was done by 
G. Frey in 1977 |Fre77| . Analogous computations in higher degree are significantly 
more difficult and have been the subject of several papers of H. Zimmer and his 
collaborators: the 1976 paper [Zim76| lays foundations by giving a generalization of 
the Lutz-Nagell restrictions on torsion points to arbitrary number fields; the 1989 
paper [MSZ89] enumerates the torsion subgroups of elliptic curves with integral 
modulus over quadratic fields {d = 2); special kinds of cubic fields {d — 3) were 
considered in 1990 |FSWZ90] and the case of a general cubic field was completed 
in 1997 |PWZ97| : only a very restricted class of quartic fields has ever been consid- 
ered, so already the case d = 4 seems to be out of reach. 

However, Hindry and Silverman have shown |HS99| that 

(2) yd e Z+, TiM(d) < 1977408dlogd, 

(3) yd > 25, Tiuid) < 498240(ilogd. 

Another idea is to search for all finite groups which arise as the torsion subgroup 
of infinitely many elliptic curves defined over number fields of degree d. In this 
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case the computations in degree up to d = 4 have been done by Jeon, Kim, Park 
and Schweizer [JKS04| . |JK06| . |JKP06| . and reasonably good asymptotic bounds 
can be obtained by applying theorems of Faltings and Abramovich. This work is 
described in some detail below. 

In this paper we shall usually restrict to elliptic curves with complex multiplication. 
This is a very special subclass of the class of integral moduli curves, comprising for 
each degree d only finitely many j-invariants (but infinitely many nonisomorphic 
twists for a given j-invariant). Accordingly, we are able to derive more precise 
results than in the general case. We also take up the task of relating the special 
case of CM points to the general case - not definitively, of course, but in a depth 
and level of detail which we feel deserves a place in the literature on the subject. 

1.3. Prior results. 

Let be a field of characteristic and E^p an elliptic curve. We say that E has 
complex multiplication (henceforth CM) if the ring End£' of endomorphisms 
of E defined over an algebraic closure of F is strictly larger than Z. In this case, 
End°(i;) := End{E) ®i Q is an imaginary quadratic field Q(\/Z)) and End(i?) is 
an order in End"(£'). 

As alluded to above, we write TcM{d)^ Ncuid), Pcuid) for, respectively, the 
largest order, exponent and prime dividing the order of any CM elliptic curve de- 
fined over any number field of degree d. 

The j-invariant of a CM elliptic curve is an algebraic integer |Sil941 Thm. II. 6.1], 
so that ([2), (131) we have #i?(F)[tors] = 0{d\ogd). If we restrict to the order of a 
single torsion point - i.e., to NcMid) rather than Tcmid) - we can do qualitatively 
better: one knows that Ncuid) = o{dlogd). More precisely: 

Theorem. (Silverberg [Sbg88| , Prasad- Yogananda [PYOlj ) Let F be a number field 
of degree d, and let E/p be an elliptic curve with complex multiplication by an order 
O in the imaginary quadratic field K. Let w = w{0) = =ffO^ (so w ^ 2, 4 or Q) 
and let e be the maximal order of an element o/i?(i^) [tors]. Then: 
o-) ^(g) ^ ''^d (ip is Euler's totient function). 

b) IfFD K, then ip{e) < f d. 

c) If F does not contain K, then (p{^E{F)[tors]) < wd. 

Applying the theorem necessitates separate consideration of three cases: 




(6) ip{e) < 2d. 

Let us call gl), (P and ^ the SPY bounds. 
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Recall the classical result ip{N) > ^ (e.g. lHW . Thm. 328]). From this 

and the SPY bounds we deduce that there exists a constant C such that 

(7) Ncuid) < Cdloglogd. 

This improves upon what one gets by applying ([2]): 

Ncuid) < Niuid) < Tiuid) < 1977408rflogd. 

Theorem |6] below asserts A^cm (d) ^ o{d\/log log d) , so that our understanding of 
the true lower order of magnitude of Nqm (d) is rather good. On the other hand, it 
is vexing that we cannot get any improvement on 

Tcuid) <TiMid) =0{d\ogd) 

by applying the methods of SPY, or indeed by any other means that we know. 

1.4. Computational results. 

We briefly report on some calculations done by the University of Georgia Num- 
ber Theory VIGRE Research Group, which has implemented an algorithm (c.f. 
[ClaOlj ) to do the following: given a positive integer d, compute the complete list 
of isomorphism classes of finite abelian groups which arise as the full torsion sub- 
group of some CM elliptic curve with defined over any number field of degree d. 

This algorithm requires knowledge of the CM j-invariants (more precisely, their 
minimal polynomials) of degree d' strictly dividing d, so in full generality requires 
an enumeration of the set of imaginary quadratic fields with any given class number, 
i.e., an effective solution of the Gauss class number problem. Work of Watkins 
[Wat 04 j gives a solution to this problem up to class number 100, so the data from 
ibid, enable us, in theory, to run the algorithm for all degrees up to d = 201. But in 
fact this is much more class number data than we have been able to use: one of the 
steps in our algorithm is the computation of an explicit polynomial PN{x,y) = 
which (birationally) defines the modular curve Xi(N), a computation which be- 
came prohibitively expensive for us around N — 79. The complete list of possible 
torsion subgroups of CM elliptic curves defined over any degree d number field has 
been computed by our VIGRE research group for 1 < d < 13 (but will be described 
elsewhere). The case of d = 1 is a 1974 result of L. Olson |01s74| . For d = 2 and 3 
the results are subsumed by the calculations of |MSZ89j . |PWZ97j . To the best of 
our knowledge the cases 4 < d < 13 had not been computed before. 

Upon restriction from Tcuid) to Pcuid), the above problem can be rephrased 
as follows: for a fixed d, find all prime numbers N such that the modular curve 
Xi{N) has a CM point of degree d. It is natural to consider also the following 
"converse problem" : for fixed prime N, find the smallest degree of a CM point on 
Xi[N). Our algorithm works equally well on this converse problem, and we present 
the solution, for all N < 79, in the following tableQ 

TABLE 1 

iV = 2: d^l, D = -3, -4, -7, -8, -12, -16, -28 
iV = 3: d^l, -12, -27 



Some preliminary calculations were done by the first author. The calculations were rechecked 
and completed by Steve Lane, who also pointed out - several times — an error in the preliminary 
calculations at = 11, which turned out to be very interesting and significant. 
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N = 5: 


d = 


= 2, D 




-4 


N = 7: 


d = 


= 2, D 




-3 


TV = 11 


d 


= 5, D = 


= -11. 


TV = 13 


d 


^A,D = 


= -3. 


TV = 17 


d 


= 8, L» = 


= -4. 


TV = 19 


d 


= 6, D = 


= -3. 


TV = 23 


d 


= 22, 


D 


= -7,- 


TV = 29 


d 


= 14, 


D 


= -4. 


TV = 31 


d 


= 10, 


D 


= -3. 


TV = 37 


d 


= 12, 


D 


= -3. 


TV = 41 


d 


= 20, 


D 


= -4. 


TV 43 


d 


= 14, 


D 


= -3. 


TV = 47 


d 


= 46, 


D 


= -11,- 


TV = 53 


d 


= 26, 


D 


= -4. 


TV = 59 


d 


= 58, 


D 


= -8,- 


TV = 61 


d 


= 20, 


D 


= -3. 


TV = 67 


d 


= 22, 


D 


= -3. 


TV = 71 


d 


= 70, 


D 




TV = 73 


d 


= 24, 


D 


= -3. 


TV = 79 


d 


= 26, 


D 


= -3. 



11,-19,-28,-43,-67. 



-11, 



-43,-67,-163. 
-43,-67. 



-11,-28,-67,-163. 



Looking through the data one observes that most, but not aU, of the time, the 
SPY bounds are not sharp, so it is natural to ask for refinements. In the next 
section we shall present several such results. Theorem [2] refines the SPY bounds, 
by including a factor of the class number h{D) as well as giving a much larger 
lower bound in case (f ) = -1. Theorem[3] gives conditions under which one gets 
an extra factor of 2 in the SPY-type bounds. Moreover, for TV sufficiently large 
compared to D, the bounds of Theorem [3] are optimal. 

1.5. Theoretical results I: Optimal bounds on prime order torsion points. 
Theorem 1. 

a) For every prime TV = 1 (mod 3), there exists an elliptic curve E over a number 
field K of degree , with j{E) = 0, and with a K -rational N -torsion point, 
h) There exists an absolute constant Nq such that for all primes TV > TVq.' 
(i) if Xi{N) has a CM point of degree d, then d > ; 

(a) if Xi{N) has a CM point of degree d < then d = and j{E) = 0. 

Remark 1.1: The data suggests that it may be possible to take TVo = 5. 

Theorem 2. Let Ok be the maximal order in K — (JI^/D), F a number field, and 
E/p an elliptic curve with Ok multiplication. Let w{K) = ^O^. Suppose that 
-B(i^)[tors] contains an element of odd prime order N . Define 6{F,K) to be 1 if K 
is contained in F and 2 otherwise, 
a) (^) — I, then 

5{F,K)h{K) 



(TV-1) 



w{K) 



\F 



b) If i§)^0, then 



(TV-1) 



(3-S{F,K))h{K) 
w{K) 



[F 
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cj = then 

iN'-l).h^\[F:Q]. 
wyK) 

It is interesting to compare this with the SPY-bounds. Our Theorem [5] is more 
special in that it only applies to the case of torsion points of odd prime order 
(although we believe the methods should generalize to arbitrary N). In the case of 
prime N ^ it does not strengthen the SPY-bound - indeed, both bounds agree in the 
case when N \ Z?, but it significantly refines the SPY-bounds, making clear that 
they are in some sense a "worst case scenario." 

Theorem 3. Let O he an order in the field K — Q{^/D), 'w{0) be the cardinality 
of its unit group and h{0) = # Pic(C') its class number. Then: 

a) For every odd prime N which splits in K , there exists an O-CM elliptic curve 
defined over a number field of degree 2{N — 1) • with a rational N -torsion point. 

b) There is an Nq — Nq{D) such that for N > Nq, the least degree of an 0{D)-CM 
point on Xi{N) is 2(N — 1) • ^^j^ if N splits in K and (A^^ — l) otherwise. 

Remark 1.2: Taking O to be the quadratic order of discriminant —3 in Theorem[3K), 
we recover Theorem [1^) . The other parts of Theorem [T] are quick consequences of 
Theorem 13] together with the SPY-bounds, but it seems worthwhile to call attention 
to the extremal behavior coming from the quadratic orders with nontrivial units. 

1.6. Theoretical results II: CM points of small degree on Xi{N). 

Throughout this section N denotes a prime number different from 2 and 3. 

Define dcyi{N) to be the least degree of a CM point on Xi{N). 

Theorem [T] shows that the smallest (resp. second smallest) possible degree of a 
CM point on Xi{N) is ^^^-^ (resp. ^^^j^), and shows that this degree can be at- 
tained iff = 1 (mod 3) (resp. iV = 1 (mod 4)). In particular, as N ranges over 
all primes N which are not 11 (mod 12), the least degree of a CM point on Xi{N) 
is linear in N . Notice that the excluded set of primes = 11 (mod 12) has den- 
sity \ in the set of all primes. By Theorem [21 the problem of bounding the upper 
order of dcM^N) as N ranges over prime numbers, comes down to finding, for a 
given prime N, an imaginary quadratic field ^{^/D) such that (^) = —1 and with 
class number h{D) as small as possible. By applying what is known about these 
elementary - but difficult! - analytic problems, we arrive at the following result. 

Theorem 4. a) For any e > 0, there exists Ce such that for any prime N , the curve 
Xi{N) has a CM point of degree at most C^N'^+''/'^+\ where c/2 = « .078. 

b) Assuming the Generalized Riemann Hypothesis (GRH), the least degree of a CM 
point on Xi{N) is O(iVlogiVloglogiV). 

However, dcM{N) is not bounded by a linear function of N. 

Theorem 5. For any C > 0, there is a positive density set V of prime numbers 
such that for all N € V , the least degree of a CM point on Xi(N) exceeds CN . 
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Theorem 6. a) There exists C > such that for any F/Q with [F : Q] = d and 
any CM elliptic curve E/p, one has exp(_B(i^)[tors]) < Cdloglogd. 
b) There exists a sequence Fn of number fields, of degree dn = [Fn : Q] tending to 
infinity, and CM elliptic curves En/ Fn such that 

exp(£;„(i^„)[tors]) > dn\/\Qg \og dn- 

We have already seen that part a) is a consequence of the SPY bounds; we repeat it 
here for the sake of parallehsm. Neither is part b) very difficult: all in all Theorems 
m and El seem to lie significantly deeper. 

f.7. Theoretical results III: small degree points on Xi{N): comparison 
vifith non-CM case. 

The overarching problem is to understand all points of degree d on the family 
of modular curves Xi{N). Merel's theorem asserts that for fixed d the set of all 
such points on Xi{N) is finite, so it is natural to enumerate this list. Conversely, 
one can fix N and ask for the least degree of a noncuspidal point on Xi{N). In 
the previous section we presented results giving rather tight estimates on the least 
degree of a noncuspidal CM point. Therefore the key issue is: how many non-CM 
points are there of small degree? 

The next result gives a precise sense in which d w A^^ is the threshold between 
small degree and large degree: 

Theorem 7. Let N > 3 be a prime number. Then: 

a) The set of points of Xi{N) of degree less than \ -^^{N^ — is finite. Assuming 
Selberg's eigenvalue conjecture the bound can be improved to l-^iN"^ — 1)1- 

b) The set of points of Xi(N) of degree at most ^ ^^12'^^^ infinite. 

Remark 1.3: The proof of part a) uses deep theorems of Faltings, Frey and Abramovich, 
but the deduction itself is now routine. Essentially the same result appears as 
[JKS041 Cor. 1.4], the only difference being that we get a sharper bound by restric- 
ing to prime N . Part b) is much more elementary. Nevertheless, it is in the spirit 
of this paper to pursue quantitative rather than just qualitative results, and in this 
regard the fact that we can compute the "threshold" value of d sharply to within 
a factor of 32 seems interesting. For instance, it raises the question of whether the 
truth lies closer to -^N"^ or to -j^^"^ ■ 

Remark 1.4: Selberg's eigenvalue conjecture states that for a modular curve Y{V) := 
T\H associated to a congruence subgroup F C PSL2{^), the least positive eigen- 
value Ai of the hyperbolic Laplacian on Y{T) satisfies \i > j. Selberg himself 
showed Ai > j^; in 1994, Luo, Rudnick and Sarnak showed Ai > this the 
bound we use in our unconditional estimate. As of this writing, the best known 
estimate on Ai is due to Kim and Sarnark: Ai > > 0.238. Thus the im- 

provement in the upper bound of part a) gained by assuming Selberg's conjecture 
is small compared to the discrepancy between the upper bound of part a) and the 
lower bound of part b), so ought not to be the focus of our concern. 

Application: For N = 127 the least degree of a rational CM point is 42, whereas 
- assuming Selberg's eigenvalue conjecture - the bound of Theorem [7^) gives that 
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there are only finitely many points (if any, of course!) on Yi(127) of any smaller 
degree. For all larger N = 1 (mod 3), the set of points whose degree is less than or 
equal to the minimal degree of a CM point is finite. 

On the other hand, Theorem[7|D) guarantees that there are infinitely many points 
of degree less than the smallest CM point for N < 13. When = 17 the bound 
ensures infinitely many points of degree at most 8, and the table above shows that 
the least degree of a rational CM point is 8. But in fact there exists a degree 4 
map from Xi{17) to the projective line, so that there are infinitely many rational 
points of degree at most 4. This suggests that there is room for improvement in 
the bound of Theorem [7)3). 

Write dcM{N) for the least degree of a CM point on Xi{N) and doo{N) for the least 
degree d such that Xi {N) has infinitely many points of degree at most d. Then by 
TheoremU dcuiN) = 0{N^-°'^^-) whereas d^{N) > l^^iN^ -I)] - l- It follows 
that there exists a prime iVo such that dcuiNo) > doo{No) and dcmiN) < doc{N) 
for all N > Nq. In other words, for all sufficiently large primes, there are only 
finitely many points on Xi{N) of degree smaller than that of any CM point. 

The prime A^o of the previous paragraph is effectively computable. Indeed, B. 
Cook and A. Rice are engaged in such a computation. Their preliminary work 
shows that one can take - unconditionally - Nq = 5.5 x 10^. This Nq is small 
enough to allow case-by-case analysis, and we believe that the final result will be 
more like Nq w 500. The work will appear elsewhere. 

1.8. Dramatis Personae and Acknowledgments. 

The 2007-2008 UGA VIGRE research group in number theory included: 
Group leaders (year long): 

Pete L. Clark (assistant professor), Patrick Corn (postdoc) 
Graduate students (year long): 

Steve Lane, Jim Stankewicz, Nathan Walters, Steve Winburn, Ben Wyser 
Graduate students (spring semester only): Brian Cook 
Undergraduate student (year long): Alex Rice. 

For a 21st century paper on elliptic curves, the theory we need here is relatively 
middlebrow and classical: most of the results we need go back, in some form, to 
Deuring or even Weber. Each of the individual results we use can be picked up by 
a hard-working second year graduate student, but to master them all in a limited 
amount of time while doing research including substantial computer programming 
is a taller order. Part of the goal of this project was indeed to foster learning by 
doing, and we have aimed for an exposition which maximizes accessibility to the 
students in the seminar and other early career graduate students. 

Many of the participants were assigned specific subproblems which they wrote 
up formally and have been incorporated into this paper. Specifically, we wish to 
acknowledge the contributions of Steve Lane in computing Table 1, of Alex Rice in 
§2.4, of Jim Stankewicz in §5.1 and of Brian Cook in §8. 

The first author would like to thank all the participants in the seminar for an 
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enlightening and stimulating experience; this paper represents a substantial ad- 
vancement of his prior work in this area, which would probably not have been done 
were it not for the interest and involvement of the students. 

2. Background on elliptic curves and complex multiplication 

2.1. Some facts about elliptic curves with complex multiplication. Let 

E be an elliptic curve over any field K. A /C-rational endomorphism of E is a 
morphism of iC-varieties (p : E ^ E such that <p(0) = O. Then (p induces an 
endomorphism (i.e., self-homomorphism) on the group E{L) of i-rational points, 
for any field extension L oi K. By definition, the endomorphism ring of E is 
the set of all iiT-rational endomorphisms of E, endowed with the structure of a 
ring under pointwise addition and composition. As for any ring, there is a natural 
homomorphism t : Z ^ End(£'), in which the image of n is the multiplication by n 
map on E, traditionally denoted [n]. 

In all cases (p is an injection and End(i?), as an abclian group, is a free Z- module 
of rank 1, 2 or 4. When End(i<^) has rank 4, the endomorphism ring is noncom- 
mutative, an order in a definite rational quaternion algebra. Such an elliptic curve 
is said to be supersingular; supcrsingular elliptic curves over K exist iff K has 
positive characteristic. So if K has characteristic 0, we have either End{E) = Z, 
or End{E) = as a free abelian group; in the latter case End(£^) is isomorphic to 
an order O of an imaginary quadratic field Q{y^—n), and "thus" we say that E has 
complex multiplication. More precisely, we say E has O-CM if End(-E) = O. 
Since the ring O has exactly one nontrivial automorphism - complex conjugation 
- if End(£J) = O, there are two such isomorphisms. 

Let Dq be a fundamental imaginary quadratic discriminant, i.e., the discrim- 
inant of the full ring of integer of some imaginary quadratic field. More concretely, 
Dq is a negative integer which is either (i) congruent to 1 (mod 4) and squarefree, 
or (ii) congruent to (mod 4) and such that ^ is squarefree. Every imaginary 
quadratic order O in Qiy'—Do) is of the form Z[/t„] for a uniquely determined 
/ G Z"*", the conductor of O. Thus an order is determined by its fundamental 
discriminant Dq - the discriminant of the full ring of integers of O (g) Q - and /. 
On the other hand, an order is also determined by its discriminant D = ,pDo. 
This means that for any imaginary quadratic discriminant D - i.e., an integer D 
with D < and D = 0,1 (mod 4) - there exists a unique (up to isomorphism) 
imaginary quadratic order 0{D) of discriminant D. 

For any integral domain R, one may consider its Picard group Pic{R), of rank 

one locally free i?-modules under tensor product. Otherwise put, Pic(i?) is the 
quotient of the group of invertible fractional i?-ideals by the subgroup of principal 
i?-ideals. The class number h{R) is the cardinality of Pic(i?). For an arbitrary 
domain i?, the class number may well be infinite, but it is finite when R is an order 
in any algebraic number field, so in particular when R = R{n, d) is an imaginary 
quadratic order. When i? is a Dedekind domain all nonzero fractional ideals are 
invertible, and Pic{R) = Cl{R) is the usual ideal class group. 

We abbreviate h{0{D)) to h{D), and li K = Q(-Do) is an imaginary quadratic 
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field, then the class number of if, denoted h{K), means the class number of the 
maximal order Ok of K. 

Until further notice we fix an imaginary quadratic order O, of discriminant D, 
and with quotient field K ~ Q{^/Dq). 

Fact 1. a) There exists at least one complex elliptic curve with O-CM. 
h) Let E, E' he any two complex elliptic curves with O-CM. The j -invariants j{E) 
and j{E') are Galois conjugate algebraic integers. In other words, j{E) is a root of 
some monic polynomial with "Z- coefficients, and if P{t) is the minimal such poly- 
nomial, P{j'{E)) = also. 

c) Thus there is a unique irreducible, monic polynomial H£){t) e Z[i] whose roots 
are the j -invariants of the various non-isomorphic O-CM complex elliptic curves. 

d) The degree of Hjj(t) is the class number h(0) = h{D) of the order O, so when 
O is the full ring of integers of its quotient field K , Aeg{H £,(t)) — h{K), the class 
number of K . 

e) Let Fd := <Q\t]/ H£){t). Then Fo can be embedded in the real numbers, so in par- 
ticular is linearly disjoint from the imaginary quadratic field K . Let Ku denote the 
compositum of F^ and K. Then Kjj/K is abelian, with Calois group canonically 
isomorphic to Pic(C'). Moreover, Ko/Q is Calois and the exact sequence 

1 ^ GaliKo/K) GaliKo/Q) ^ Gal(if/Q) ^ 1 

splits, i.e., G8lI{K]j/Q) is up to isomorphism the semidirect product ofPic(0) with 
the cylic group Z2 of order 2, where the map Z2 Aut(Pic(C')) takes the nontrivial 
element of Z2 to inversion: x 1-^ x~^ . 

References for this fact include: Cox |Cox89| and Silverman II ISil94j . 

This fact has many implications. First, it follows that one can define an O-CM 
elliptic curve over a number field F iff F D Fd- In particular, it follows that one 
can define an O-CM elliptic curve over Q iff h{D) = 1, which by the Heegner- 
Baker-Stark theorem is known to occur for exactly 13 values of D: 

D = -3, -4, -7, -8, -11, -12, -16, -27, -28, -19, -43, -67, -163. 

Let E : = -\- Ax -I- S be a complex elliptic curve in Weierstrass form. We 
define a Weber function h on E, as: 

h{x,y) ^xiiAB^Q, 
h{x,y) = a;2 if B = 0, 
h{x,y) ^ x^ ii A = Q. 

(The point of the Weber function is to make explicit the quotient map E — > 
E/ Aui{E) = Pi. See [SiMl Ch. II] for more details.) 

If E is defined over some subfield K of C, let K{E[N]) be the field extension 
of K obtained by adjoining the coordinates of all the A^-torsion points on E. 

The following is a celebrated classical result. 
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Theorem 8. (Weber) Let D he an imaginary quadratic order, and E/p^^ an Ok- 
CM elliptic curve. For any positive integer N , the field Q{\/—D, j{E), h{E[N])) is 
the N-ray class field of K ^ Q{V^)- 

Proof: See e.g. [SiMl Thm. II.5.6]. 

Corollary 9. Let K = Q(\/-Co) be m imaginary quadratic field, and let i?/^^^)^) 
be an elliptic curve with Ok -CM. Let N be an odd prime. Then 

mVD~o,jiE),hiE[N])) -.Qi^o^jiE))] - (^^ (^)) ' 

Proof: We deduce the corollary from the theorem using the description of the iV-ray 
class field K{N) of K provided by class field theory. Namely, consider the A^-ring 
class field L{N), & subextension of K{N)/K. Putting D ^ N'^ ■ Dq, we have 

Ga\{L{N)/K)^Pic{0{V)), 

whereas 

Ga.l{K{N)/L{N)) ^ (Z/7VZ)^/±1. 
Recall the relative class number formula ICox89[ Thm. 7.24] 

hjN^Do) _ iV-(^) 
h{Do) [Oi- :Ox]' 

Thus 

[Qi^o,j{E),h{E[N]) : Qi^o,j{E))] = [K{N) : 
^ [K{N) : K] ^ hiN^Do){N - 1) ^ N - 1 f _ f Do\\ 
[Kil):K] 2hiDo) w{K) ' \ \NJJ- 

2.2. The Galois representation. Let be a field of characteristic 0, E/p an 
elliptic curve, and N a positive integer. Let a E Galp — Aut{F/F). Let E[N] be 
the set of A^-torsion points on E over F; the action of Galp is seen to be Z/A^Z- 
linear, so E[N] may naturally be viewed as a Z/A^Z[GalF]-module. Recall that, 
as a Z/A^Z- module (or equivalently, as an abelian group), E[N] = Z/NZ x Z/A^Z 
|Sil86j . It is notationally convenient to choose such an isomorphism - i.e., to choose 
an ordered Z/A^Z-basis ei, 62 of i?[A^]. The Z/A^Z[Gali?]-module structure is then 
given by a homomorphism 

Pn : Gali. -> GL2(Z/A^Z), 

which we call the mod N Galois representation associated to E. Let M — 
F{E[N]) be the field extension obtained by adjoining to F the x and y coordinates 
of all the A^-torsion points. Then the kernel of pat is nothing else than Gal(F/M) = 
GalM, so Pn factors through to give an embedding 

PN ■■ Gal{M/F) ^ GL2(Z/A^Z). 

There is "a piece" of pat which is well understood in all cases. Namely, composing 
with the determinant map det : GL2(Z/A^Z) — > (Z/NZ)^ , we get a homomorphism 

det(pAr) : Gal(M/i^) -> (Z/A^Z)^. 

This homomorphism evidently cuts out an abelian extension of F, so can be viewed 
as a "character" of the group Gal(M/F). More precisely: 
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Theorem 10. We have det(pAr) = xn, where xn is the mod N cyclotomic 
character, defined as follows: 

XN ■■ Galp ^ Gsi\{F{CN)/F) ^ (Z/7VZ)^ 

where a e Galp <t G Gal(i^(Civ)/-F); m automorphism which is determined by 
its effect on a primitive Nth root of unity: 

for a uniquely determined element X-ZvCc) G Zi/NZ,^ . 
Proof: See [SiIMl Ch. III]. 

Corollary 11. We have det(/9jv(GalF)) — ^ iff F contains the Nth roots of unity. 
The following is a special case of an extremely important theorem of Serre: 

Theorem 12. (Serre's Open Image Theorem, non-CM Case |S72| ] Let E he an 

elliptic curve defined over a number field F , and suppose that E does not have 
complex multiplication. 

a) For all sufficiently large prime numbers i, pi : Galp — > GL2{Z/£Z) is surjective. 

b ) There exists a fixed number B such that for all N G Z+ , 

*--^-^^P-) = #,,(Gal.) 

In other words, part b) says the failure of all the maps piq to be surjective can be 
measured by a single finite quantity. Since 

GL2{'L/ti ■ ■ ■ IX) = GL2iZ/£iZ) x • • • x GL2iZ/£rZ), 

this in fact implies part a). Note also that we must allow some finite amount of 
nonsurjectivity, because we are considering an elliptic curve E defined over any 
number field. So for instance, start with E over Q and take F — Q{E[N]) to be the 
extension obtained by adjoining all the coordinates of the A^-torsion points. For 
this E/F one tautologically has pN{Ga\p) — 1. Serre himself noted that there is no 
elliptic curve over Q for which all the mod N Galois representations are surjective. 

2.3. Galois representation in the CM case. 

Our interest here is in the fact that this result fails in the presence of CM. 
We assume that N is an odd prime. 

Suppose first that E/F is a 0{D)-CM elliptic curve and that F contains the CM 
field K = Q(v^), so that the action of 0{D) is defined and rational over F. Then, 
in additional to its Z/iVZ[Gali?]-niodule structure, E[N] also has the structure of 
a O-module. Morever, the i^-rationality of the endomorphisms means precisely 
that for all a G GalF and tp G 0{D), we have aip = tpa, i.e., the two actions 
commute with each otherU In fact, since TV = in £'[Af], E[N] is naturally a 
0{D) (g> Z/NZ = 0(i:))/AfCi(i:')-module. 



^This can be expressed more concisely as the fact that E[N] is a [Z/NZlGalp], C'(D))-bimodule, 
but for our purposes there is no particular advantage to using this terminology. 
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Lemma 13. / 1Pari89( Lemma 1]) The N -torsion group E[N] is free of rank 1 as 
a (right) 0{D) ® Z/NZ-module, i.e., isomorphic to 0{D) ® Z/NZ itself. 

In particular, the natural Z/A^Z-linear action of 0{D) ® TLjNTL on E\N\ is faithful, 
so we have an embedding of Z/A^Z- algebras 

I : 0{D) (g) Z/NZ Eiid{E[N]) = A'hiZ/NZ). 

Let us denote the image of t by Cat. Now, for any a G Gal_F, the matrix pNi<y) gives 
an invertible 0{D) (g) Z/iVZ-hnear map of E[N]. Since the 0{D) (g) Z/iVZ-linear 
endomorphisms of the free one-dimensional module E[N] are precisely multiplica- 
tion by an element of 0{D) (g) "L/NI and the invertible ones are elements of the 
unit group of this ring, we conclude 

Pn{G&\f) C C^. 

This shows that the CM case is much different, because the Galois extension 
F{E[N])/F is in this case abelian and has size at most fl^C^, or approximately 
-/V^, whereas Serre's theorem asserts that in the non-CM case pAr(Gali?) has, for 
sufficiently large prime N, size # GL2(Z/A^Z) = {N^ - 1){N^ - N) ^ N"^. 

To give more precise results, we must consider separately whether N splits, stays 
inert or ramifies in 0{D). 

Case 1 (split case): (^) = 1. Then one sees (e.g. by direct computation) that 
Cat, as a Fjv-algebra, is isomorphic to Fat ® Fat; therefore the unit group is 
isomorphic to (Z/A^Z)^ ® (Z/iVZ)^. Thus there are precisely two one-dimensional 
subspaces Vi, V2 of E[N] which are simultaneous eigenspaces for Cn- By taking 
generators ei of Vi and 62 of V2 as basis, we get 



Cn = { 



a, be ¥n}. 



a 
b 

The same considerations show that there is, up to conjugacy, a unique subalgebra 
of M2(FAr) isomorphic to Fjv ® Fat; such an algebra is called a split Cartan sub- 
algebra and its unit group a split Cartan subgroup. 

Case 2 (inert case): (^) ~ —1. Then one sees that Cn — ^n^j a finite field 
of order iV^, so that is cyclic of order N'^ — 1. Again ones sees that ¥^2 is 
unique up to conjugacy as a subalgebra of M2(Fjv) (e.g. the result is a special case 
of the Skolem-Noether theorem on simple subalgebras of central simple algebras; 
or just do a direct computation). Such an algebra is called a nonsplit Cartan 
subalgebra and the unit group is called a nonsplit Cartan subgroup. 

Case 3 (ramified case): N divides D. Then ^ FAr[t]/(t^), i.e., is generated 
over the center (the scalar matrices) by a single nilpotcnt matrix g. Since the 
eigenvalues of g are FAr-rational, we can put g in Jordan canonical form, and this 
gives a choice of basis such that 



Cn^{ 



a b 
a 



a, be Fat}. 



Again Ca^ is unique up to conjugacy; for lack of a better name, we shall call it a 
pseudo-Cartan subalgebra. Evidently Cn = Zn-i © Zn = Zn'-^-n- 
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We now introduce a third operator on E[N]: by Fact 1 above, we can choose 
an embedding of K into C which carries into the real numbers. With this 

understanding, complex conjugation c induces an Fjv-linear automorphism of E[N]. 

Lemma 14. Let N be an odd positive integer. The characteristic polynomial of 
complex conjugation acting on the free 2-dimensional "L/NTi-module E[N] ist^ — 1. 

Proof: Clearly c satisfies the polynomial t^ — 1, so what we must show is that 
c^±l. Ifc=l then c acts trivially on each iV-torsion point and we would have 
dimz/Tvz -B[-/V](K) = 2. If c = — 1 then (since N is odd), c acts nontrivially on each 
A^-torsion point, and we would have dimi?[A^](R) = 0. But it is easy to see that 
the correct answer is dim£'[A^](R) = 1: indeed, a little thought shows that the one- 
dimensional compact real Lie group £'(R) is isomorphic either to (if a defining 
Weierstrass cubic has one real root) or to S*^ x Z/2Z (if all 2-torsion points (if a 
defining Weierstrass cubic has three real roots), and either way £'[iV](R) = Z/7VZ. 

Lemma 15. i^ [S67] . [S66] ) Let E/QiJo) be an 0{D)-CM elliptic curve, and let a 
be the nonidentity element of Aut{Q{j jj , ^/D) / Q{j d)) . 

a) As operators on E[N], we have a — c. 

b) Therefore Q{jD,E[N]) contains Q{VD) . 



There is also a natural nontrivial action of complex conjugation on 0{D), and the 
homomorphism t : 0{D) — s- End(£'[A^]) is c-equi variant: loc = col. This, together 
with the nontriviality of the c-action on 0{D), is equivalent to the fact that conju- 
gation by c stabilizes Cjv and induces a nontrivial involution on it. 



In the split case we find that, with respect to the chosen basis ei, 62 of Cn- 
eigenspaces, c is equal to either permutation matrix ' ^ 



1 



or its negative. Either 



way, the effect of conjugation by c is 





a 


■ 




■ b 


" 


c is 





b 


1 — > 





a 



Explicit computation 



shows that the Cartan subgroup has index 2 in its normalizer N{C^) 



In the inert case, conjugation by c stablizes Cn — Fjva and induces the unique 
nontrivial Galois automorphism, the Frobenius map: FrobAr : x 1— > x^ . The el- 
ements of N{C'^) \ correspond to Frobjv-semilinear automorphisms of the 1- 
dimensional Fjv2-vector space V — E[N], i.e., maps cr : V ^ V such that for 
v,u) £ V, a{vw) = Frobjv('y)cr(ti;). Such a map is uniquely specified by cr(l), so 
that #N{C^) \C^^N^^1, i.e., [N{C^) : C'^] = 2. 



In the ramified case, complex conjugation induces a nontrivial involution of the 
(non-semisimple) F^r- algebra Cat = ¥^[1]/ (t'^). The automorphism group Aut(CAr/F7v) 
is isomorphic to ^ -P^v-i ^ unique element of order 2, t 1-^ —t. Therefore 



conjugation by c has the effect 



a 


b ' 




a —b 





a 


1 — > 


a 



Note that this case is 



different from the previous two in that the normalizer of is the entire Borel 
a b 



subgroup { 







a,b,c £ ¥n, ac 7^ 0}. 



Given all this information, one readily deduces the following result: 
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Theorem 16. Let F be a number field, and E/p an elliptic curve with 0{D)- 
CM. Let M = F{E[N\) be the field extension of F obtained by adjoining x and y 
coordinates of all the N -torsion points of E. 

a) The CM field K = Q(-\/— -D) is contained in M , so we get a short exact sequence 
(8) 1 ^ Gal{M/KF) -> Gal(M/i^) -> Gal{KF/F) 1. 

b) Under the natural embedding pj^ : Gal{M / F) ^ GL2(¥n), the subgroup G8lI{M / K F) 
embeds in the unit group C^. 

c) The sequence (0) splits, with a splitting given by a choice of an involution 

This result gives upper bounds on the the degree [F{E[N]) : F] which improve 
upon the obvious bound of ^GL2{¥n): 

Corollary 17. a) If {§) = 1, then [F{E[N]) : F] \ 2{N - 1)2. 

b) If {§) = -1, then [F{E[N]) : F] \ 2{N^ - 1). 



c) If i§) = 0, then [F{E[N]) : F] \ 2{N^ - N). 



■ D_ 

■ N 

Proof: Using the exact sequence ([S]) we see that 

#Gal(M/F) ^#G&l{M/KF) • #Gal(if/F) | #{CnV -2. 

And we know that has order {N— 1)^, {N'^ — 1) or iV^ — N according to whether 
N sphts, is inert, or is ramified in 0{D). 

The slogan here is that the image of the Galois representation pjv should be "as 
large as possible" , up to a factor which is uniformly bounded as N varies, but in the 
CM case GL2{^n) is impossibly large. The correct answer is again due to Serre: 

Theorem 18. (Open Image Theorem, CM case S66j Let F be a number field 
and E/p be an elliptic curve with O-CM. Then for all sufficiently large primes N , 
we have: 

• pn{Gs1p)) — N{Cn), if K = Q{V—D) is not contained in F, 

• PNiGidp)^C^, ifKcF. 

Since Serre's theorem only holds for sufficiently large primes N, the case of | I? 
can be completely ignored. Nevertheless Theorem [TH] tells us to "expect" that the 
Ai"-torsion fields will be as large as possible. In the next section we use elementary 
group theory to deduce consequence for the least degree of an A^-torsion point. 

2.4. Orbits under C^ and applications. 

We maintain the notation of the previous section: E/p is an elliptic curve with 

C'(D)-CM; A^ is an odd prime number; Cat = l{0 Z/NZ) C End{E[N])] is 
the unit group of Cat; N{C^) is the normalizer. 



(i) If {%) = 1, the two one- dimensional eigenspaces for Cn give two orbits of size 



2 



Lemma 19. a) The orbits of C^ on E[N] \ {0} are as follows 

--N 

N — 1; all the remaining points lie in a single orbit of size (N — 1) 
(^^) If (#) = -1. E[N] \ {0} forms a single C^-orbit. 

(Hi) If {^) = 0, the unique one- dimensional eigenspace for Cm gives an orbit of 

size N — 1; the remaining points form a single orbit of size N"^ — N . 

b) If (^) = 1, the two orbits of size N ~ 1 for C^ form a single orbit for N{C^). 
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Proof: A pleasant elementary computation that we leave to the reader. 

In the statement of the following result we employ the following convention: if 
p and q are nonzero rational numbers, we say p | g if ^ € Z. 

Corollary 20. Let E/p be an 0{D)-CM elliptic curve defined over a number field 
F. Suppose that the image p]\r{GalKF) of the mod N Galois representation has 
index I in C^. Let P G EiC) be any point of exact order N , and let F{P) be the 
extension of F obtained by adjoining the coordinates of P. 
(i) If (^) ^landVD(£F, then 7(A^ - 1) | [F{P) : F] 
(a) If {§) ^landVD is not m F, then f | [F{P) : F]. 
(m) If {§) = -1, then \iN^ - 1) | [F{P) : F]. 
H If {§) = 0, then ^{N~l)\ [F(P) : F]. 

Proof: Consider of field extensions F C F{P) C F{E[N]). Then F{E[N])/F{P) 
is Galois, with Galois group canonically isomorphic to pjv(Gali?) n G{P), where 
G{P) C GL2(Fjv) is the stabilizer of the point P. By the orbit-stabilizer theorem, 
[F{P) : F] is equal to the orbit of P under the action of Galp. 

In case (i) we have ^/D € F, so that the image of Galois lies in the split Cartan 
subgroup —W^ ®¥^. By Lemma [T9l the fuU C^-orbits have sizes N ~ I and 
{N — 1)^. Since we are assuming that [C^ : pN{Ga\p)] \ I, it follows that every 
PAr(GalF)-orbit has size a multiple of Case (ii) is similar except in this case 

replace the gcd of all sizes of orbits with the gcd of all sizes of -/V(C^)-orbits, 
which according to Lemma fT9l is 2{N — 1). Parts (iii) and (iv) are similar, except 
here it does not matter whether ^/D lies in the ground field F: in case (iii) this 
is because the orbit size for is already as large as possible; in case (iv) this is 
because the minimal C^-orbit is stable under complex conjugation. 



3. Proof of Theorem [T] 

As in Remark 1.2, Theorem [T^) is precisely the D ~ —3 case of Theorem [5^). 
Indeed, for D = —3, w{D) = 6, and an odd prime splits completely in Q(V— 3) iff 
N=l (mod 3). 

Now suppose we have an 0{D)-CM point on Xi{N) of degree D. If 13 = —3, 
then according to Theorem [31 if iV is greater than or equal to some absolute con- 
stant TVi, we have d > ^ if iV = 1 (mod 3) and d > if iV = -1 (mod 3). 

The second case is D = —4, so w{D) = 4, and then Theorem [3] says that for 
N greater than or equal to another absolute constant 7V2, we have d > ^^^^ if 
N = 1 (mod 4) and d > if iV = -1 (mod 4). 

The third case is any other D, so w{D) = 2 and then by Theorem 11.31 d > ^^y^- 
Altogether we see that if > max(5, A^i, A^2) then d > -^^^ in all cases, equality 
can be met iff A'' = 1 (mod 3) (necessarily for an ©(— 3)-CM elliptic curve of j- 
invariant 0), and the next smallest possible degree is ^^y^, for an ©(— 4)-CM elliptic 
curve of j-invariant 1728. This completes the proof of Theorem [1] 
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4. Proof of Theorem [2] 

Let N be an odd prime number; let K — Q(a/Do) be an imaginary quadratic 
field; and let E^p be an Ok-CM elliptic curve. Suppose that there exists a point 
P e E{F) of order N. Let M be the compositum of the CM field K with the 
iV-torsion field F{E[N]). We know that K{j{E)) = K{1) is the Hilbert class field 
of K and M/K{N) is abelian of degree divisible by ■ {N- (^) ) by CoroUaryEl 

Split case: (-^) — 1- We know that Gal{AI / K {!)) is contained in a split Car- 
tan subgroup C{N) = {Z/N - YLf of GL2(Z/7VZ) with index dividing w{K). If 
we had equality - i.e., \M : K(\)\ ~ {N — 1)^ - then by the work of the previous 
section, for any A^-torsion point P G E{C) we must have — 1 | [K{1){P) : K]. 
Moreover, as we saw above, passing to a subgroup of index i cuts down this degree 
by at most a factor of i, so 



A^- 1 



[K{1){P):K{1)], 



w{K) 

■{N-l)\ [K{l)(P):K] I [KF:K] 
S{F,K) ■ [KF ■.K]^[F: Q], 



and therefore 

h{K) 
w{K) 

Since 

Theorem [2Ji) follows. 

Ramified case: (■^) = 0. In this case Gal(M/ii'(l)) is contained in a pseudo- 
Cartan subgroup ^ "L/NZ x Z/N -I of GL2(Z/7VZ) with index dividing w{K). 
As above, the smallest orbit of on the iV-torsion has size TV — 1, leading to the 
bound 

^^(iV-l)IIF.QI^ 

In this case, G&\{KF/K) acts trivially on the unique iV-torsion subgroup stabilized 
by C^. From this, one sees that we gain an extra factor of 2 iff X does contain F, 
giving the divisibility relation as in Theorem [^b) . 

Inert case: 

{^2.) ^ _i. In this case Ga\-{M/K{\)) is contained in a nonsplit 
Cartan subgroup ^ {Z/{N'^ - l)Z) of GL2(Z/iVZ) with index dividing w{K). 
As above, the A^-torsion points form a single orbit under C^, so arguing as in the 
split case we get 

^.(A^^-1)|[F:Q]. 
w[K) 

This completes the proof of Theorem [2] 

5. Proof of Theorem [3] 

5.1. A technical lemma. 



Let w he a, positive even integer, and let C = Ctu = g2iri/to ^ primitive wth 
root of unity. Let G = (s | s"" = 1) be a cyclic group of order w. Let M be an 
abelian group endowed with the following additional structures: 



18 



PETE L. CLARK, BRIAN COOK, AND JAMES STANKEWICZ 



• a Z-linear action of G, and 

• A ring homomorphism Z[C] — > End(M). 

We require first that C,^ ■ x = —x for all x € M. We also require that these 
two actions commute with each other: for all x e M, Qax = aQx. 

For i e Z/wZ, we define Mi = {x £ M \ ax = Qx), and 

M= Mi. 

Consider the Z-module homomorphism $ : M — > M given (xi) i— > X^^arj- Let 
$ = $ «)z Z[^] : M' = M ® Z[i;] ^ M' = M ® Z[^]. 

Lemma 21. Soift kcr($) a^rf coker($) are w -torsion Z-modules. It follows that: 

a) The map $ is an isomorphism of Z[—]-modules. 

b) We have dimQ(Af (g) Q) = dimQ(M (g) Q), and for any prime p not dividing w, <i? 
induces an isomorphism from the p-primary torsion subgroup M\p°°\ of M to the 
p-primary torsion subgroup M\p°°] of M. 

Proof: It is enough to show that the kernel and cokernel of $ are w-torsion; for if 
so, tensoring the short exact sequences 



^ ker($) ^ M ^ $(M) ^ 



and 



M/ kcr($) ^ M ^ cokcr($) ^ 
of Z-modules with the flat Z-module Z[^] shows that <E> is an isomorphism. 

Step 1: We show ker($) = ker($)[w]. Let P = (Pq, • • • , -P«j-i) be an element 
of ker so that 



0. 



Applying cr, we obtain 



Po + CPi + --- + C-^Pw-i 



0. 



Applying a w — 2 more times, we arrive at the matrix equation AP = 0, where 

\ 



A-. 



( 1 1 

1 c 
V 1 



1 

^10 — 1 



(iw-\){w-\) ^ 



It is therefore also a solution to A^P = 0, where 



A' 



/ w 




: 
\ u; 



... \ 

w 



w 




/ 
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Thus wPo = wE^-i = • • • = wPi = 0, i.e., wP = 0. 

Step 2: We show coker((f>) — coker($)[it;]. Let P £ M . Define a. w y. w matrix 



B 



(P a{P) a^{P) ... a^-\P) \ 



y p ('(■^-'^)a{P) C~2("'^i)(t2(P) ... (■"(™-i)(«'-i)o-"'-i(P) J 

Notice that the sum of all the entries of B is wP: indeed, this is the sum of the 
entries in the first column, and since for any j ^ (mod w) we have Y^^=l^ C = 0; 
each of the other columns sums to 0. Now for 1 < i < w, put 

w — l 

Then 

W — l W — l 

^(^0 = C'^'^y'^^^P) = C (-('^+i)v'^+i(P) = CP, 

so Pi-1 G Mi. Therefore 

i«P = $((Po,...,P^_i)) e$(M). 

This completes the proof of the lemma. 

5.2. Application to the proof of Theorem [3l 

Now let O be an imaginary quadratic order of discriminant D, K = Q(\/D), and 
let > w = w{0) be a prime which splits in K . Let Ko = K{jD), and let E/Kd 
be an O-CM elliptic curve. By the work of §2.3, we know that there exists an ex- 
tension Ko{P)/Kd: which is cyclic of degree dividing iV — 1, such that over Kd{P) 
E has a point P of exact order N . Let us first assume that \Kd{P) : Kn] = N — 1; 
afterwards we will discuss how to modify the argument to deal with the case in 
which the degree strictly divides iV — 1 . 

Our assumptions imply that = 1 (mod w). Therefore, by Galois theory, there 
exists a unique subextension Kd C L C Kd{P) with G = Ga\{KD{P)/L) cyclic of 
order w. Now we are in the setup of the previous section: take M — E{Kd{P)); 
the G-action is the restriction of the natural Gal(ifD/iir£))-action on E{Kd{P)), 
the Z[C]-action comes from the fact that O = End(ii^) contains the wth roots of 
unity, and the compatibility of these two actions is a consequence of the rationality 
of the endomorphisms over Kd (hence also over L). Since E{Ko{P)) contains a 
point whose order is a prime N not divisible by w, by Lemma [5T] there exists some 
i G 'Ljwl such that Mi contains an element of order A^. 

Using the theory of twisting in the Galois cohomology of elliptic curves, we may 
interpret Mi as the group of L-rational points on a ii'i:i(P)/L- twisted form of the 
elliptic curve E. Specifically, the set of such twisted forms are parameterized by 

H^{Q&\{KD[P)lL),kvX{E)) = Hom(G,Z/wZ) = Z/wZ, 

the last isomorphism being given by 

((^ : G ^ Z/wZ) ^^{a). 
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Corresponding to — C'^ ^ Z/wZ we build a twisted Gal(i4r£)(P)/L)-action on 

a -i X := C~Vx. 

This is exactly the relation defining Mi. In other words, the abstract decomposition 
of the Z[:ij]-module M' ^ M' corresponds to a decomposition of the Mordell-Weil 
group - up to w-toTsion- of E{K£){P)) into a direct sum of the Mordell-Weil groups 
of the w different twists of i?/^ via the cyclic extension Ko{P)/L and the automor- 
phism group of E. (When w = 2, this result - decomposition of the Mordell-Weil 
group under a quadratic extension - is very well known.) Thus we have produced 
an O-CM elliptic curve over a field of degree ^^p)"'' with a rational A^-torsion point, 
giving the statement of Theorem [3^) • 

It remains to deal with the case in which d — [Kd{P) '■ K] strictly divides A^ — 1. 
If w I d, we can run through the above argument verbatim, getting in fact an O-CM 
elliptic curve with a rational A^-torsion point over a field of degree which is a 
priori stronger than what we are trying to prove. This necessarily is the case if 
w = 2. If w = A and d is a multiple of 2 but not a multiple of 4, we run through the 
above argument using quadratic twists instead of quartic twists. If w = 6 and d is 
a multiple of 2 but not of 6, then we run through the above using quadratic twists 
instead of sextic twists. One sees easily that we get exactly the same bounds. This 
completes the proof of Theorem |3^). 

Proof of Theorem Suppose first that N is an odd prime with (^) = 1. Let 
Fd = Q{j{E)) — QUd) be the number field generated by the j-invariant of the qua- 
dratic order 0{D), and let E^p^ be any C'(£')-CM elliptic curve. Serre's Theorem 
[TH]says that there exists Nq = No{D) such that if N > Nq, the image pNiGalpo) 
in GL2(F7v) will be N{C^), the normalizer of a split Cartan subgroup, and then 
Corollary [201 appfies to show that the least degree [Fd(F) : i^/j] is a multiple of 
2(iV - 1). 

Now suppose that we have any number field F, E'^p an C'(Z?)-CM elliptic curve 
with an .F-rational point of prime order N > Nq. The theory of twisting - to- 
gether with the Kummer isomorphism {Galp , fid) — F^/F^'^ - implies first 
that F D Fd, and second that there exists an extension L of F, of degree w{0) 
such that = F'^L- Therefore, since E' has an F-rational torsion point of order 
N, E has an L-rational torsion point of order N, so 

2{N - 1) I [Fd : Q] I [i : Fd][Fd : Q] ^ [L : Q] ^ [L : F][F : Q] ^ wiO)[F : Q], 

and hence 

2{N-1) 



w{0) 



F 



The argument in the case (^) = —1 is quite similar: then there exists Nq such that 
N > Nq implies that, for our fixed E^p^^ as above we have [Fd{P) ■ Fd] = N'^ — 1 
(note that this is the order of the stabilizer of P in all of GL2{¥n), hence the 
largest possible order, so there is no further contribution coming from the action of 
complex conjugation) and arguing as before we get 

N^ - 1 
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Since we are taking N arbitrarily large compared to -D, we do not have to worry 
about the ramified case. 



For a negative quadratic discriminant D, write doiN) for the least degree of an 
0{D)-CM point on Xi{N), and dcuiN) for the least degree of a CM point on 
Xi{N), so dcM{N) = mini, doiN). 

We will need the following two estimates: 

Lemma 22. Suppose D is a positive integer and N a prime, with {-^) — 1- Then 
there exists a CM point on Xi{N) of degree dividing 2{N — l)h{Q{\/—D)). 

Proof of Lemma [HI this is an immediate consequence of the theory of Galois 
representations on CM elliptic curves as recalled in §2.3. 

Lemma 23. As D tends to — oo through quadratic discriminants (i.e., D = 0,1 
(mod A)), the class number h{D) of the imaginary order of discriminant D is 
0{Vd log D). 

Proof: A consequence of Dirichlet's class number formula; see e.g. jCoh07[ § 4.2]. 

Proof of Theorem H If TV = 1 (mod 4), by Theorem [3] we have dcM(^) < 
This is stronger than the bounds we are claiming for arbitrary N, so we may assume 
that N = -1 (mod 4). 

For such N, let D be a negative quadratic discriminant not divisible by N. Then 



so we are interested in the least positive integer M which is first, a quadratic non- 
residue modulo N and second, is congruent to or —1 modulo 4, so that —M is an 
imaginary quadratic discriminant. 

In fact this latter condition is nothing to worry about: let M be the least posi- 
tive quadratic nonresidue modulo N. Then certainly M is squarefree, so M is not 
(mod 4). If M = -1 (mod 4), then D = -M is the discriminant of Q(V^M). 
If Af = 1,2 (mod 4), then it is not — M but —AM which is the discriminant of 
QiyZ—M). But if M is a quadratic nonresidue modulo the odd prime N, so is AM, 
and if we know that M = 0{f{N)) for some function /, then of course the same 
holds for AM. 

So what is the order of the least quadratic nonresidue modulo A^? This is a fa- 
mous classical problem. The trivial bound - taking into account only that there are 
in all '^^^ quadratic nonresidues - is ^ , but a bit of thought and experimentation 
suggests that M should be considerably smaller than this. Long ago Vinogradov 
conjectured that M = 0^{N'^), i.e., that M grows more slowly than any power of iV, 
but we are still far away from an unconditional proof of this. In 1952 N.C. Ankeny 
showed that, conditionally on GRH, M = 0{(logN)'^) [Ank52| . In his review of 
this paper |Erd52j . P. Erdos remarks that it is known that M is not 0{logN), so 
that Ankeny's bound seems to get admirably close to the truth. Vinogradov himself 
was able to show unconditionally that M = o{N); for more than fifty years, the 
best unconditional bound has been due to D.A. Burgess: M — Oe(A^^+'), where 



6. Proof of Theorem [H 
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c = = 0.15 ... is "Burgess' constant" |Bur57| . 

So, for a large prime N, let M be the least quadratic nonresidue modulo N and 
D = ~M if M = -1 (mod 4) and D = -4M otherwise. Applying Lemma [22l and 
then Lemma [23l we get 

dcuiN) = 0(A^/ip)) = 0(7V/^log|i^|). 

Substituting in the unconditional Burgess bound for D, we get 

dcuiN) = 0,(iVi+=/2+^/2log(7V=+')). 

That this bound hold for all e > is equivalent to 

dcuiN) = 0,iN'+-/^+'). 

Applying instead Ankeny's bound, we get, conditionally on GRH, 

dcuiN) = 0(A^ V(log N)^ log(log N)^ = 0(7Vlog7VloglogiV). 

7. Proof of Theorem [5] 

Although not necessary from a logical point of view, we believe it will make for 
easier reading if we discuss first the special case in which the endomorphism ring is 
the maximal order and second the (less) special case in which the conductor of the 
order is prime to N before discussing the general case. 

Case 1: fundamental discriminants Suppose that there exists some positive 
number C such that for every odd prime N, there exists a point on A'i(A'^) with 
CM by the full ring of integers of some imaginary quadratic field, and of degree at 
most CN. We will derive a contradiction. 

H := 6C + 1. Recall that the set of negative quadratic discriminants D such 
that hiD) < H is finite |Deu33| . |Hei34j . |Sie35| . Let us write out this set as 

Let Vi be the set of primes which are 1 (mod 4) and divide Dk for some 
1 < k < n. Put R — 4KPi- Similarly, let Vz be the set of primes which arc 3 
(mod 4) and divide some Dk- Put S = #7^3. 

Lemma 24. The set Vh of odd primes N such that {(^) = -1 VD | /i(D) < H} 
is infinite; indeed it has density at least (i)^^'^^'^. 

Proof: Let N be any prime number satisfying: 

(i) TV EE 7 (mod 8); 

(ii) (^) = lforallpe7'i. 

(iii) (f ) = -1 for all q e Vs. 

By the Cebotarev density theorem (or even the quantitative version of Dirichlet's 
theorem on primes in arithmetic progressions) , the set of such primes N has density 
(i)fl+S+2^ We claim that aU such primes lie in Vh- Indeed, we may write 

1' s 

D, = {-!)■ 2«+V . . -prqi ■■■qs = i-l)^+'2^+''l[p, n(-«^)' 

i=i j=i 
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where a, 5 G {0, 1}, pi G Vi and qj e Vz- Then 




Let iV > iJ be a prime in Vhi and let D be any negative quadratic discriminant. If 
(^) = then by Theorem [3 we have dniN) > ^ , which for sufficiently large 
N, is greater than CN. Otherwise (^) ^ —1, and by Theorem [2] we have 

doiN) > ^{N - 1) > f (TV - I) > 

O D 

since N > H. 



Case 2: Orders of conductor prime to N: Suppose that 0{D) is an order 
of conductor / in the imaginary quadratic field K = Q(v^Z?o); let F be a number 
field and £'/^ be a O-CM elliptic curve. 

Proposition 25. there exists an F-rational isogeny l : E E' , where E'jp is an 
elliptic curve with Ok -CM. Moreover l is cyclic of degree f . 

This is "well known" , but lacking a convenient reference we shall sketch the proof. 
Over the complex numbers we may view E as C/O, and then the map is just the 
natural map C/O — > C/Ok- The rationality of the map over F follows easily from 
the fact that O is the unique subring of Ok of index /. 

The isogeny t induces a homomorphism of Mordell-Weil groups l{F) : E{F) — > 
E'{F). According to the Proposition, the kernel of i{F) is /-torsion. Moreover, 
using the existence of a dual isogeny : E' E such that o l — [/] , lo — [/] , 
one sees that also the cokernel of l{F) is /-torsion. In particular, if N is an odd 
prime with (iV, /) = 1, then 

l{F):E{F)[N]^E\F)[N]. 

In particular, if E has an _F-rational torsion point of order N , so does E' . From 
this it follows that - still for N prime to / - the least degree of an C'(/^_Do)-CM 
point on Xi{N) is at least as large as that of an C'(£'o)-CM point on Xi{N). That 
is, we have succeeded in reducing Case 2 to Case 1. 

Case 3: General Case: Finally suppose we have D ~ PDq with N \ /, and 
consider an C'(Z?)-CM elliptic curve E defined over a number field F, with an 
F-rational A^-torsion point. To simplify the analysis, we assume F contains the 
CM- field K (this extra factor of 2 will not effect the asymptotic analysis) . 

The above geometric description of the isogeny t shows that dim^^ ker(t) n E[N] = 
1, i.e., there exists a single point Pq € E[N](C) such that (Pq) = ker(t) n E[N]. 
Consider first any A^-torsion point P which is not in (Pq). Then l{P) is an F- 
rational point on the 0{Do)-CM elliptic curve, i.e., as in Case 2, we immediately 
reduce to Case 1. So it suffices to assume that the point Pq is F-rational and derive 
lower bounds on [F : K] . 
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As in §2.3, Case 3, the mod N Galois representation pN ■ Galp ^ GL2{'Z/N'Z) is 
contained in a "pseudo-Cartan subgroup" ; taking an ordered basis with Pq as the 
first vector, we have 

a b 
a 



p(GalF) CC^^{ 



So our assumption that Pq is i^-rational means precisely that 

1 b 



piGalp) C { 



1 



6e Fat}. 



Thus det(p(GalF)) = 1, so by Corollary [JT] we deduce F D K{Cn)- Now K{Cn) 
and the ring class field K{j{E)) are extensions of K of degrees at least -^^^^ and 
^^^g^ respectively. Moreover, Fact le) implies that, loosely speaking, these two 
extensions are close to being disjoint over K, so that K{(n , j{E)) has degree at 
least a universal constant times (N — 1)^. 

Let us now see this in more detail: let E" be an elliptic curve with 0{N^Dq)- 
CM, i.e., with the same CM field but conductor N instead of its multiple /. By 
class field theory K{j{E)) C K{j{E")). But K{j{E")), being the ring class field 
of conductor N , is contained in the TV-ray class field K{N), whereas explicit class 
field theory shows Gal{K{N)/K) is a finite abelian group with either 1 or two 
generators. Therefore the degree of the maximal exponent 2 abelian subextension 
of K(j{E))/K is at most 4. Combining all estimates, we get 

[F:K]>[Kij{E),CN):K]>^-^^i^. 
This is obviously not 0{N), so the proof is complete. 

8. Proof of Theorem [H] 

Here, briefly, is the idea: Start with E/Q of j-invariant 0. Enumerate the odd 
primes Pn which are 1 mod 3 (hence split in Q(\/^3)). Let Kn be the least field 
over which E acquires a point of order iV„ := pi ■ ■ ■ pn- The degree of this field is 
at most 

n 

2l[{p^-l)^2^{Nr,), 

i=l 

and it is known that ^ 3> log log iV„ . 

Proof: Let K = QiV^), and E/^ an e'(-3)-CM elliptic curve (e.g. y'^ = + 1). 
Let pi < p2 < ... be the primes congruent to 1 (mod 3), i.e., the primes which 
split in K . It follows from the material reviewed in §2.3 that for each i there is a 
point Pi on E of order i, such that [K{Pi) : K] \ {pi — 1). Thus, for any positive 
integer n, the field L„ :— K ({Pi}f^^) has a point of order iV„ = pi ■ ■ ■ Pn (namely 
Pi + . . . + P„) and 

n 

d„ := [L„ ■.K]<2 \{{p, - 1) = 2(^(iV„). 
1=1 

Then 

|g(i^»)[tors]| ^ Nn 
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and to complete the proof it is sufficient to establish the following 
Claim: There exists C > such that for all sufficiently large n, 

^" > CVlog(log(d„)). 



The proof of the claim rests on an asymptotic formula due to Mertens, namely 

where the product is taken over all primes less than or equal to x, and 7 is Eulcr's 
constant |BD041 Cor. 6.19]. From the Prime Number Theorem for Arithmetic 
Progressions [BD04!, Thm. 9.12], it follows that 

p<x,p=l(3) ^ ' 



Let us now write 



Then we have 



1 p<a:(n),p=l(3) 

^" -^/Vlog(a;(n)). 



Again applying the Prime Number Theorem for Arithmetic Progressions, it follows 
that log(x(ri)) ~ log(n), and also that 

n n n 

log(7Y„) = ^ log(p,) - 2 ^ i log(i) - 2 logn ^ ^ n(n + 1) log(n). 

i—1 i—1 i—1 

This implies that log(log(A^n)) ^ log(^) ^ \og{x{n)). Thus 

^ e-^/Vlog(log(iV„)) > e-^/Vlog(log(¥>(A^„))) > e"^/ Vlog(log(d„/2)), 
which is sufficient to give the result. 

Remark 8.1: The reader may be wondering whether we could have done better 
by applying Theorem [1] which says that we can get an ©(— 3)-CM point of degree 
However, the factor of 6 that we gained in the proof of this result was via 
our ability to make a single cyclic twist to get more torsion. However we cannot 
independently make cyclic twists for each prime pi. Thus we could improve d„ 
to "^^Pi^^P") but not to ^Lp{pi ■ ■ -pn)- In fact Serre's Theorem (Theorem [TE\i im- 
plies that among constructions working with a fixed elliptic curve, or even a fixed 
j-invariant, our lower bound is asymptotically optimal. 

9. Proof of Theorem [7] 

Theorem 26. (Abramovich, |Abr96j ] LetT C PSL2{'^) be a congruence subgroup, 
and Xr — r\7i the corresponding modular curve. The gonality of Xr is at least 
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Remark 9.1: This result uses results of differential geometry and spectral theory, 
including an upper bound on the leading nontrivial eigenvalue for the Laplacian on 
the Riemannian manifold Xr'. Abramovich's theorem uses the bound Ai < j^, due 
to Luo, Rudnick and Sarnak. Selberg has conjectured that Ai < i, which would 
allow replacement of by 

Theorem 27. (Fallings, Frey |Fre77| ) Let X be a curve defined over a number 
field K with at least one K -rational point. If, for any positive integer d, X/j^ has 
infinitely many points of degree d, then ^ GonK{X) < d. 

Remark 9.2: The hypothesis is satisfied for all classical modular curves Xr uni- 
forniized by congruence subgroups of PS'L2(Z) since such curves always have a 
cusp rational over their "reflex field" K {K = Q for the curves Xi{N)). 

When iV is prime, the index of Ti{N) in PSL2{Z) is Thus we get 

Gonc(Xi(7V))> ^(iV2-l) 

unconditionally, and 

Gonc(Xi(iV))>^(iV2-l) 
conditionally on Selberg's eigenvalue conjecture. 

Therefore we get 

i GonQ(Xi(iV)) > i Gonc(Xi(iV)) > ^{N^ - 1), 

so if d < [3^(^^ ~ 1)] ~ 1 there are only finitely many points of degree d. Thus 
in the statement of Theorem 3 we can take for Ci any constant less than , and 
if Selberg's eigenvalue conjecture holds, we can take any constant less than 

For part b) we need two facts. First, for a curve X of genus g >2 over any field 
K, one can get a degree 2g — 2 map to the projective line by taking an element 
/ of the complete linear system associated to the canonical bundle f^x/K' 
therefore Gonx(X) < 2g{X) — 2. Second, for iV > 3 prime, the genus of Xi{N) is 
N^-i2N+ii . g_g^ IJKPQ61 Theorem 1.1]. 
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